From owner-freebsd-arch Sat Sep 2 16: 3: 3 2000 Delivered-To: freebsd-arch@freebsd.org Received: from Awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id 6DFF737B424; Sat, 2 Sep 2000 16:02:49 -0700 (PDT) Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by Awfulhak.org (8.9.3/8.9.3) with ESMTP id AAA81538; Sun, 3 Sep 2000 00:03:15 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.0/8.11.0) with ESMTP id e82N2d776018; Sun, 3 Sep 2000 00:02:39 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200009022302.e82N2d776018@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.1.1 10/15/1999 To: Brian Somers Cc: Kris Kennaway , "Jacques A. Vidrine" , Neil Blakey-Milner , Poul-Henning Kamp , Dan Nelson , sthaug@nethelp.no, ume@FreeBSD.ORG, arch@FreeBSD.ORG, freebsd-arch@FreeBSD.ORG, brian@Awfulhak.org Subject: Re: setuid ssh should die In-Reply-To: Message from Brian Somers of "Sat, 02 Sep 2000 23:57:20 BST." <200009022257.e82MvK775931@hak.lan.Awfulhak.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 03 Sep 2000 00:02:39 +0100 From: Brian Somers Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > > On Sat, 2 Sep 2000, Brian Somers wrote: > > > > > > > What do people reckon then (-arch cc'd) ? I'll add > > > > > > > > #ENABLE_SUIDSSH= true > > > > > > > > to etc/defaults/make.conf then mention it in ssh_config and make the > > > > adjustment to the ssh build so that it defaults to *not* being suid. > > > > > > I have no problems making ssh non-suid by default since most people dont > > > use RhostsRSAAuthentication. > > > > > > Since I have ssh changes in the works please send me the patches and I'll > > > apply them after the upgrade. Please add information to the manpage on how > > > to fix it, and a helpful error telling them what to do when the user tries > > > to use it. > > > > That's no problem, except for the ``helpful error'' bit. I don't > > think ssh should attempt to interpret the failure to bind a socket. > > The perror() should be sufficient in my book. > > Wait... I'm missing something here. It seems that ssh will exec rsh > when FallBackToRsh is enabled. It therefore doesn't need root for > anything I know of. > > Can anybody enlighten me ? Is RhostsRSAAuthentication where .shosts is used on the server ? -- Brian Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message